chore(release): 0.5.29 [skip ci]

## [0.5.29](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.28...v0.5.29) (2023-11-06)

### Bug Fixes

* **xwiki:** Update XWiki Helm configuration to enable LDAP and OIDC user synchronization ([7c56c72](7c56c7244f))

.gitlab-ci.yml

@@ -78,6 +78,12 @@ variables:
     options:
       - "yes"
       - "no"
+  DEPLOY_CRYPTPAD:
+    description: "Enable CryptPad deployment."
+    value: "no"
+    options:
+      - "yes"
+      - "no"
   DEPLOY_ELEMENT:
     description: "Enable Element deployment."
     value: "no"
@@ -342,6 +348,18 @@ collabora-deploy:
   variables:
     COMPONENT: "collabora"
 
+cryptpad-deploy:
+  stage: "component-deploy-stage-1"
+  extends: ".deploy-common"
+  rules:
+    - if: >
+          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
+          $NAMESPACE =~ /.+/ &&
+          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_NEXTCLOUD != "no" || $DEPLOY_CRYPTPAD != "no")
+      when: "always"
+  variables:
+    COMPONENT: "cryptpad"
+
 nextcloud-deploy:
   stage: "component-deploy-stage-1"
   extends: ".deploy-common"

CHANGELOG.md

@@ -1,3 +1,67 @@
+## [0.5.29](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.28...v0.5.29) (2023-11-06)
+
+
+### Bug Fixes
+
+* **xwiki:** Update XWiki Helm configuration to enable LDAP and OIDC user synchronization ([7c56c72](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7c56c7244f3862b6b21627661430a94d804c6974))
+
+## [0.5.28](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.27...v0.5.28) (2023-11-06)
+
+
+### Bug Fixes
+
+* **open-xchange:** Add Document- and ImageConverter, improve LDAP address book filters ([899a8c5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/899a8c5af9052634b98d9876dfbaea517d89ad49))
+
+## [0.5.27](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.26...v0.5.27) (2023-11-04)
+
+
+### Bug Fixes
+
+* **docs:** Re-include release artefacts ([4359b21](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4359b21f1cdae91a87b87ad2b270d67a2b1eda21))
+
+## [0.5.26](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.25...v0.5.26) (2023-11-02)
+
+
+### Bug Fixes
+
+* **element:** Enables user directory search for all users ([8fafd90](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/8fafd906a3b0efa7e4164b357656d7903fc55371))
+
+## [0.5.25](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.24...v0.5.25) (2023-11-01)
+
+
+### Bug Fixes
+
+* **cryptpad:** Add CryptPad to support editing of diagrams.net files from within Nextcloud ([ab6014f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ab6014f8c6285785be5c56cd656fe0636df4434c))
+
+## [0.5.24](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.23...v0.5.24) (2023-11-01)
+
+
+### Bug Fixes
+
+* **collabora:** Update image to 23.05.5.3.1 ([38336d0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/38336d024033f4fe1a28b0f76f9c63ecdb076156))
+
+## [0.5.23](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.22...v0.5.23) (2023-11-01)
+
+
+### Bug Fixes
+
+* **element:** Update Element Web to latest release ([b47de62](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/b47de62f987e8778878fee55ecda3032beb55f3d))
+
+## [0.5.22](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.21...v0.5.22) (2023-10-31)
+
+
+### Bug Fixes
+
+* **openproject:** Nextcloud integration within K8s instances ([d249d0e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d249d0e3ce3ee0966033e870ea5c4d9e1928f045))
+
+## [0.5.21](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.20...v0.5.21) (2023-10-30)
+
+
+### Bug Fixes
+
+* **helmfile:** Deinstall components if disabled ([7feaadf](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7feaadf7f8830d8d0d5df752733c9b8f47315df6))
+* **helmfile:** Put enviroments in first document inside of a yaml ([034e98c](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/034e98c850fa1f67300c04883904737a69448a25))
+
 ## [0.5.20](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.19...v0.5.20) (2023-10-30)
 
 

README.md

@@ -6,11 +6,20 @@ SPDX-License-Identifier: Apache-2.0
 
 [[_TOC_]]
 
-# Disclaimer August 2023
+# Disclaimer
 
-The current state of the Sovereign Workplace contains components that are going to be
+openDesk will face breaking changes in the near future without upgrade paths.
-replaced. Like for example the UCS dev container monolith will be substituted by
+
-multiple Univention Management Stack containers.
+While most components support upgrades, major configuration or component changes
+may occur, therefore we recommend always installing from scratch.
+
+Components that are going to be replaced soon are:
+- The UCS dev container monolith will be substituted by multiple Univention
+Management Stack containers,
+- the Nextcloud community container is going to be replaced by an openDesk
+specific Nextcloud distroless container and
+- Dovecot Community is going to be replaced by a Dovecot container tailored for the
+needs of the public sector.
 
 In the next months we not only expect upstream updates of the functional
 components within their feature scope, but we are also going to address
@@ -19,8 +28,6 @@ operational issues like monitoring and network policies.
 Of course, further development also includes enhancing the documentation.
 
 The first release of the Sovereign Workplace is scheduled for December 2023.
-Before that release there will be breaking changes in the deployment.
-
 
 # The Sovereign Workplace (SWP)
 
@@ -209,6 +216,7 @@ subdirectory `/helmfile/apps/services`.
 | ClamAV (Distributed)        | `clamavDistributed.enabled`         | `false` | Antivirus engine               | Eval       |
 | ClamAV (Simple)             | `clamavSimple.enabled`              | `true`  | Antivirus engine               | Eval       |
 | Collabora                   | `collabora.enabled`                 | `true`  | Weboffice                      | Functional |
+| CryptPad                    | `cryptpad.enabled`                  | `true`  | Weboffice                      | Functional |
 | Dovecot                     | `dovecot.enabled`                   | `true`  | Mail backend                   | Functional |
 | Element                     | `element.enabled`                   | `true`  | Secure communications platform | Functional |
 | Intercom Service            | `intercom.enabled`                  | `true`  | Cross service data exchange    | Functional |
@@ -315,6 +323,7 @@ actual scalability of the components (see column `Scaling (verified)`).
 |             | `replicas.icap`        | :white_check_mark:  | :white_check_mark: |
 |             | `replicas.milter`      | :white_check_mark:  | :white_check_mark: |
 | Collabora   | `replicas.collabora`   | :white_check_mark:  |       :gear:       |
+| CryptPad    | `replicas.cryptpad`    | :white_check_mark:  |       :gear:       |
 | Dovecot     | `replicas.dovecot`     |         :x:         |       :gear:       |
 | Element     | `replicas.element`     | :white_check_mark:  | :white_check_mark: |
 |             | `replicas.synapse`     |         :x:         |       :gear:       |
@@ -376,6 +385,7 @@ This list gives you an overview of default security settings and if they comply
 |             | icap                     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
 |             | milter                   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
 | Collabora   | collabora                |        :x:         |                :x:                 | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    100    |    101     |   100   |
+| CryptPad    | cryptpad                 |        :x:         |                :x:                 |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |  4001   |
 | Element     | element                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   |
 |             | synapse                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   10991   |     -      |  10991  |
 |             | synapseWeb               | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   |
@@ -407,6 +417,7 @@ Helm Charts which are released via openDesk CI/CD process are always signed. The
 | bitnami-repo (openDesk build)        | yes | :white_check_mark: |
 | clamav-repo                          | yes | :white_check_mark: |
 | collabora-online-repo                | no  |        :x:         |
+| cryptpad-online-repo                 | no  |        :x:         |
 | intercom-service-repo                | yes | :white_check_mark: |
 | istio-resources-repo                 | yes | :white_check_mark: |
 | jitsi-repo                           | yes | :white_check_mark: |
@@ -516,6 +527,7 @@ flowchart TD
     J[Jitsi]-->K
     I[IntercomService]-->K
     C[Collabora]-->N
+    R[CryptPad]-->N
     F[Postfix]-->D
 ```
 

helmfile/apps/collabora/helmfile.yaml

@@ -1,5 +1,9 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
   # Collabora Online
@@ -16,12 +20,9 @@ releases:
     values:
       - "values.yaml"
       - "values.gotmpl"
-    condition: "collabora.enabled"
+    installed: {{ .Values.collabora.enabled }}
 
 commonLabels:
   deploy-stage: "component-1"
   component: "collabora"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/cryptpad/helmfile.yaml

@@ -0,0 +1,28 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
+---
+repositories:
+  # CryptPad
+  # Source: https://github.com/cryptpad/helm
+  - name: "cryptpad-online-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://cryptpad.github.io/helm" }}
+
+releases:
+  - name: "cryptpad"
+    chart: "cryptpad-online-repo/cryptpad"
+    version: "0.0.13"
+    values:
+      - "values.yaml"
+      - "values.gotmpl"
+    installed: {{ .Values.cryptpad.enabled }}
+
+commonLabels:
+  deploy-stage: "component-1"
+  component: "cryptpad"
+...

helmfile/apps/cryptpad/values.gotmpl

@@ -0,0 +1,33 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+image:
+  repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.cryptpad.repository }}"
+  tag: {{ .Values.images.cryptpad.tag | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . | quote }}
+{{- end }}
+
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  className: {{ .Values.ingress.ingressClassName | quote }}
+  hosts:
+    - host: "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
+      paths:
+        - path: "/"
+          pathType: "ImplementationSpecific"
+  tls:
+    - secretName: {{ .Values.ingress.tls.secretName | quote }}
+      hosts:
+        - "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
+
+replicaCount: {{ .Values.replicas.cryptpad }}
+
+resources:
+  {{ .Values.resources.cryptpad | toYaml | nindent 2 }}
+...

helmfile/apps/cryptpad/values.yaml

@@ -0,0 +1,45 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+# https://github.com/cryptpad/helm/blob/main/charts/cryptpad/README.md or
+# https://github.com/cryptpad/helm/blob/main/charts/cryptpad/values.yaml
+
+# Disable registration and access to unregistered users:
+# (https://docs.cryptpad.org/en/admin_guide/customization.html#application-config)
+
+application_config:
+  availablePadTypes:
+    - "diagram"
+
+# Deactivating public access breaks nextcloud plugin!
+#  registeredOnlyTypes:
+#    - "diagram"
+
+autoscaling:
+  enabled: false
+
+enableEmbedding: true
+
+fullnameOverride: "cryptpad"
+
+persistence:
+  enabled: false
+
+podSecurityContext:
+  fsGroup: 4001
+
+securityContext:
+  seccompProfile:
+    type: "RuntimeDefault"
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+serviceAccount:
+  create: true
+
+workloadStateful: false
+...

helmfile/apps/element/helmfile.yaml

@@ -1,5 +1,9 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
   # openDesk Element
@@ -33,7 +37,7 @@ releases:
     values:
       - "values-element.yaml"
       - "values-element.gotmpl"
-    condition: "element.enabled"
+    installed: {{ .Values.element.enabled }}
     timeout: 900
 
   - name: "opendesk-well-known"
@@ -42,7 +46,7 @@ releases:
     values:
       - "values-well-known.yaml"
       - "values-well-known.gotmpl"
-    condition: "element.enabled"
+    installed: {{ .Values.element.enabled }}
     timeout: 900
 
   - name: "opendesk-synapse-web"
@@ -51,7 +55,7 @@ releases:
     values:
       - "values-synapse-web.yaml"
       - "values-synapse-web.gotmpl"
-    condition: "element.enabled"
+    installed: {{ .Values.element.enabled }}
     timeout: 900
 
   - name: "opendesk-synapse"
@@ -60,7 +64,7 @@ releases:
     values:
       - "values-synapse.yaml"
       - "values-synapse.gotmpl"
-    condition: "element.enabled"
+    installed: {{ .Values.element.enabled }}
     timeout: 900
 
   - name: "opendesk-matrix-user-verification-service-bootstrap"
@@ -69,7 +73,7 @@ releases:
     values:
       - "values-matrix-user-verification-service-bootstrap.yaml"
       - "values-matrix-user-verification-service-bootstrap.gotmpl"
-    condition: "element.enabled"
+    installed: {{ .Values.element.enabled }}
     timeout: 900
 
   - name: "opendesk-matrix-user-verification-service"
@@ -78,7 +82,7 @@ releases:
     values:
       - "values-matrix-user-verification-service.yaml"
       - "values-matrix-user-verification-service.gotmpl"
-    condition: "element.enabled"
+    installed: {{ .Values.element.enabled }}
     timeout: 900
 
   - name: "matrix-neoboard-widget"
@@ -87,7 +91,7 @@ releases:
     values:
       - "values-matrix-neoboard-widget.yaml"
       - "values-matrix-neoboard-widget.gotmpl"
-    condition: "element.enabled"
+    installed: {{ .Values.element.enabled }}
     timeout: 900
 
   - name: "matrix-neochoice-widget"
@@ -96,7 +100,7 @@ releases:
     values:
       - "values-matrix-neochoice-widget.yaml"
       - "values-matrix-neochoice-widget.gotmpl"
-    condition: "element.enabled"
+    installed: {{ .Values.element.enabled }}
     timeout: 900
 
   - name: "matrix-neodatefix-widget"
@@ -105,7 +109,7 @@ releases:
     values:
       - "values-matrix-neodatefix-widget.yaml"
       - "values-matrix-neodatefix-widget.gotmpl"
-    condition: "element.enabled"
+    installed: {{ .Values.element.enabled }}
     timeout: 900
 
   - name: "matrix-neodatefix-bot-bootstrap"
@@ -114,7 +118,7 @@ releases:
     values:
       - "values-matrix-neodatefix-bot-bootstrap.yaml"
       - "values-matrix-neodatefix-bot-bootstrap.gotmpl"
-    condition: "element.enabled"
+    installed: {{ .Values.element.enabled }}
     timeout: 900
 
   - name: "matrix-neodatefix-bot"
@@ -123,13 +127,10 @@ releases:
     values:
       - "values-matrix-neodatefix-bot.yaml"
       - "values-matrix-neodatefix-bot.gotmpl"
-    condition: "element.enabled"
+    installed: {{ .Values.element.enabled }}
     timeout: 900
 
 commonLabels:
   deploy-stage: "component-1"
   component: "element"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/element/values-synapse.yaml

@@ -3,6 +3,9 @@
 ---
 configuration:
   additionalConfiguration:
+    user_directory:
+      enabled: true
+      search_all_users: true
     room_prejoin_state:
       additional_event_types:
         - "m.space.parent"

helmfile/apps/intercom-service/helmfile.yaml

@@ -1,5 +1,9 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
   # Intercom Service
@@ -18,12 +22,9 @@ releases:
     version: "2.0.0"
     values:
       - "values.gotmpl"
-    condition: "intercom.enabled"
+    installed: {{ .Values.intercom.enabled }}
 
 commonLabels:
   deploy-stage: "component-1"
   component: "intercom-service"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/jitsi/helmfile.yaml

@@ -1,5 +1,9 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
   # openDesk Jitsi
@@ -18,13 +22,10 @@ releases:
     version: "1.7.1"
     values:
       - "values-jitsi.gotmpl"
-    condition: "jitsi.enabled"
+    installed: {{ .Values.jitsi.enabled }}
     timeout: 900
 
 commonLabels:
   deploy-stage: "component-1"
   component: "jitsi"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/keycloak-bootstrap/helmfile.yaml

@@ -1,5 +1,9 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
   # openDesk Keycloak Bootstrap
@@ -21,14 +25,11 @@ releases:
     values:
       - "values-bootstrap.gotmpl"
       - "values-bootstrap.yaml"
-    condition: "keycloak.enabled"
+    installed: {{ .Values.keycloak.enabled }}
     # as we have seen some slow clusters we want to ensure we not just fail due to a timeout.
     timeout: 1800
 
 commonLabels:
   deploy-stage: "component-1"
   component: "keycloak-bootstrap"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/keycloak/helmfile.yaml

@@ -1,5 +1,9 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
   # VMWare Bitnami
@@ -32,7 +36,7 @@ releases:
     version: "2.0.0"
     values:
       - "values-theme.gotmpl"
-    condition: "keycloak.enabled"
+    installed: {{ .Values.keycloak.enabled }}
   - name: "keycloak"
     chart: "bitnami-repo/keycloak"
     version: "12.1.5"
@@ -41,7 +45,7 @@ releases:
       - "values-keycloak.yaml"
       - "values-keycloak-idp.yaml"
     wait: true
-    condition: "keycloak.enabled"
+    installed: {{ .Values.keycloak.enabled }}
   - name: "keycloak-extensions"
     chart: "keycloak-extensions-repo/keycloak-extensions"
     version: "0.1.0"
@@ -50,12 +54,9 @@ releases:
     values:
       - "values-extensions.yaml"
       - "values-extensions.gotmpl"
-    condition: "keycloak.enabled"
+    installed: {{ .Values.keycloak.enabled }}
 
 commonLabels:
   deploy-stage: "component-1"
   component: "keycloak"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/nextcloud/helmfile.yaml

@@ -1,5 +1,9 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
   # openDesk Keycloak Bootstrap
@@ -30,7 +34,7 @@ releases:
     values:
       - "values-bootstrap.gotmpl"
       - "values-bootstrap.yaml"
-    condition: "nextcloud.enabled"
+    installed: {{ .Values.nextcloud.enabled }}
     timeout: 900
 
   - name: "nextcloud"
@@ -41,13 +45,10 @@ releases:
     values:
       - "values-nextcloud.gotmpl"
       - "values-nextcloud.yaml"
-    condition: "nextcloud.enabled"
+    installed: {{ .Values.nextcloud.enabled }}
     timeout: 900
 
 commonLabels:
   deploy-stage: "component-1"
   component: "nextcloud"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/nextcloud/values-bootstrap.yaml

@@ -11,6 +11,9 @@ config:
     userOidc:
       username: "ncoidc"
 
+  cryptpad:
+    enabled: true
+
   ldapSearch:
     host: "univention-corporate-container"
 ...

helmfile/apps/open-xchange/helmfile.yaml

@@ -1,5 +1,9 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
   # openDesk Dovecot
@@ -35,18 +39,18 @@ releases:
     values:
       - "values-dovecot.yaml"
       - "values-dovecot.gotmpl"
-    condition: "dovecot.enabled"
+    installed: {{ .Values.dovecot.enabled }}
     timeout: 900
 
   - name: "open-xchange"
     chart: "openxchange-repo/appsuite-public-sector/charts/appsuite-public-sector"
-    version: "2.0.4"
+    version: "2.1.1"
     values:
       - "values-openxchange.yaml"
       - "values-openxchange.gotmpl"
       - "values-openxchange-enterprise-contact-picker.yaml"
       - "values-openxchange-enterprise-contact-picker.gotmpl"
-    condition: "oxAppsuite.enabled"
+    installed: {{ .Values.oxAppsuite.enabled }}
     timeout: 900
 
   - name: "opendesk-open-xchange-bootstrap"
@@ -54,13 +58,10 @@ releases:
     version: "1.3.1"
     values:
       - "values-openxchange-bootstrap.gotmpl"
-    condition: "oxAppsuite.enabled"
+    installed: {{ .Values.oxAppsuite.enabled }}
     timeout: 900
 
 commonLabels:
   deploy-stage: "component-1"
   component: "open-xchange"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml

@@ -6,7 +6,7 @@ appsuite:
 
     properties:
       # Enterprise contact picker
-      com.openexchange.contacts.ldap.accounts: "opendesk"
+      com.openexchange.contacts.ldap.accounts: "opendesk,other,functional"
       com.openexchange.admin.bypassAccessCombinationChecks: "true"
       ENABLE_INTERNAL_USER_EDIT: "false"
 
@@ -153,7 +153,7 @@ appsuite:
             # allows to sort the attributes lexicographically, either "ascending" or "descending".
             dynamicAttributes:
               attributeName: "o"
-              contactFilterTemplate: "(&(univentionObjectType=users/user)(o=[value]))"
+              contactFilterTemplate: "(&(univentionObjectType=users/user)(isOxUser=OK)(o=[value]))"
               contactSearchScope: "sub"
               # refreshInterval: 1h
               refreshInterval: "5m"
@@ -174,6 +174,48 @@ appsuite:
                 - "Management"
                 - "Human Resources"
 
+        other:
+          name: "Other contacts"
+          ldapClientId: "contactsLdapClient"
+          mappings: "ucs"
+          folders:
+            mode: "static"
+            usedForSync:
+              protected: true
+              defaultValue: false
+            usedInPicker:
+              protected: false
+              defaultValue: true
+            shownInTree:
+              protected: false
+              defaultValue: true
+            static:
+              commonContactFilter: "(&(univentionObjectType=users/user)(isOxUser=OK)(!(o=*)))"
+              folders:
+                - name: "Ohne Organisation"
+                  contactFilter: "(&(univentionObjectType=users/user)(isOxUser=OK)(!(o=*)))"
+
+        functional:
+          name: "Functional mailboxes"
+          ldapClientId: "contactsLdapClient"
+          mappings: "functional"
+          folders:
+            mode: "static"
+            usedForSync:
+              protected: true
+              defaultValue: false
+            usedInPicker:
+              protected: false
+              defaultValue: true
+            shownInTree:
+              protected: false
+              defaultValue: true
+            static:
+              commonContactFilter: "(univentionObjectType=oxmail/functional_account)"
+              folders:
+                - name: "Funktionale Postfächer"
+                  contactFilter: "(univentionObjectType=oxmail/functional_account)"
+
       contacts-provider-ldap-mappings.yml:
         # Example definitions of contact property <-> LDAP attribute mappings.
         #
@@ -347,3 +389,9 @@ appsuite:
           # image_last_modified   :
           # Will be set automatically to "image/jpeg" if not defined.
           # image1_content_type   :
+
+        functional:
+          objectid: "mailPrimaryAddress"
+          displayname: "oxPersonal,cn,mailPrimaryAddress"
+          file_as: "oxPersonal,cn,mailPrimaryAddress"
+          email1: "mailPrimaryAddress"

helmfile/apps/open-xchange/values-openxchange.gotmpl

@@ -103,6 +103,9 @@ appsuite:
       oxguardpass: |
         {{ .Values.secrets.oxAppsuite.oxguardMC }}
         {{ .Values.secrets.oxAppsuite.oxguardRC }}
+    redis:
+      auth:
+        password: {{ .Values.secrets.redis.password | quote }}
     image:
       repository: {{ .Values.images.openxchangeCoreMW.repository }}
       tag: {{ .Values.images.openxchangeCoreMW.tag }}
@@ -139,6 +142,16 @@ appsuite:
       repository: {{ .Values.images.openxchangeCoreUIMiddleware.repository }}
       tag: {{ .Values.images.openxchangeCoreUIMiddleware.tag }}
       pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+    redis:
+      auth:
+        password: {{ .Values.secrets.redis.password | quote }}
+
+  core-documentconverter:
+    image:
+      repository: {{ .Values.images.openxchangeDocumentConverter.repository }}
+      tag: {{ .Values.images.openxchangeDocumentConverter.tag }}
+    resources:
+      {{- .Values.resources.oxDocumentConverter | toYaml | nindent 6 }}
 
   core-guidedtours:
     imagePullSecrets:
@@ -150,6 +163,11 @@ appsuite:
       tag: {{ .Values.images.openxchangeCoreGuidedtours.tag }}
       pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
+  core-imageconverter:
+    image:
+      repository: {{ .Values.images.openxchangeImageConverter.repository }}
+      tag: {{ .Values.images.openxchangeImageConverter.tag }}
+
   guard-ui:
     imagePullSecrets:
     {{- range .Values.global.imagePullSecrets }}

helmfile/apps/open-xchange/values-openxchange.yaml

@@ -6,6 +6,9 @@ appsuite:
     ingressGateway:
       name: "opendesk-gateway-istio-gateway"
 
+  switchboard:
+    enabled: false
+
   core-mw:
     enabled: true
     masterAdmin: "admin"
@@ -63,6 +66,8 @@ appsuite:
       com.openexchange.mail.filter.credentialSource: "mail"
       com.openexchange.mail.filter.server: "dovecot"
       com.openexchange.mail.filter.preferredSaslMech: "XOAUTH2"
+      # Dovecot
+      com.openexchange.imap.attachmentMarker.enabled: "true"
       # Capabilities
       # Old capability can be used to toggle all integrations with a single switch
       com.openexchange.capability.public-sector: "true"
@@ -78,6 +83,7 @@ appsuite:
       com.openexchange.capability.smime: "true"
       com.openexchange.capability.share_links: "false"
       com.openexchange.capability.invite_guests: "false"
+      com.openexchange.capability.document_preview: "true"
       # Secondary Accounts
       com.openexchange.mail.secondary.authType: "XOAUTH2"
       com.openexchange.mail.transport.secondary.authType: "xoauth2"
@@ -89,6 +95,8 @@ appsuite:
       com.openexchange.gdpr.dataexport.enabled: "false"
       com.openexchange.gdpr.dataexport.active: "false"
       # Guard
+      com.openexchange.guard.storage.file.fileStorageType: "file"
+      com.openexchange.guard.storage.file.uploadDirectory: "/opt/open-xchange/guard-files/"
       com.openexchange.guard.guestSMTPServer: "postfix"
       # S/MIME
       # Usage (in browser console after login):
@@ -139,10 +147,31 @@ appsuite:
         oidcLogin: true
         oidcPath: "/oidc"
 
+    redis:
+      enabled: true
+      mode: "standalone"
+      hosts:
+        - "redis-master"
+
+    hooks:
+      beforeAppsuiteStart:
+        create-guard-dir.sh: |
+          mkdir -p /opt/open-xchange/guard-files
+          chown open-xchange:open-xchange /opt/open-xchange/guard-files
+
   core-ui:
     enabled: true
+
   core-ui-middleware:
     enabled: true
+    overrides: {}
+    redis:
+      mode: "standalone"
+      hosts:
+        - "redis-master:6379"
+      auth:
+        enabled: true
+
   core-guidedtours:
     enabled: true
   guard-ui:
@@ -151,12 +180,26 @@ appsuite:
     enabled: false
   core-user-guide:
     enabled: true
+
   core-imageconverter:
-    enabled: false
+    enabled: true
+    objectCache:
+      s3ObjectStores:
+        - id: -1
+          endpoint: "."
+          accessKey: "."
+          secretKey: "."
+
   core-spellcheck:
     enabled: false
+
   core-documentconverter:
-    enabled: false
+    enabled: true
+    documentConverter:
+      cache:
+        remoteCache:
+          enabled: false
+
   core-documents-collaboration:
     enabled: false
   office-web:

helmfile/apps/openproject/helmfile.yaml

@@ -1,5 +1,9 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
   # OpenProject
@@ -18,13 +22,10 @@ releases:
     values:
       - "values.yaml"
       - "values.gotmpl"
-    condition: "openproject.enabled"
+    installed: {{ .Values.openproject.enabled }}
     timeout: 900
 
 commonLabels:
   deploy-stage: "component-1"
   component: "openproject"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/provisioning/helmfile.yaml

@@ -1,5 +1,9 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
   # OX Connector
@@ -15,12 +19,9 @@ releases:
     values:
       - "values-oxconnector.yaml"
       - "values-oxconnector.gotmpl"
-    condition: "oxConnector.enabled"
+    installed: {{ .Values.oxConnector.enabled }}
 
 commonLabels:
   deploy-stage: "component-2"
   component: "provisioning"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/services/helmfile.yaml

@@ -1,5 +1,9 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
   # openDesk Certificates
@@ -74,28 +78,28 @@ releases:
     version: "2.1.0"
     values:
       - "values-certificates.gotmpl"
-    condition: "certificates.enabled"
+    installed: {{ .Values.certificates.enabled }}
   - name: "redis"
     chart: "bitnami-repo/redis"
     version: "18.1.2"
     values:
       - "values-redis.gotmpl"
       - "values-redis.yaml"
-    condition: "redis.enabled"
+    installed: {{ .Values.redis.enabled }}
   - name: "memcached"
     chart: "bitnami-repo/memcached"
     version: "6.6.2"
     values:
       - "values-memcached.yaml"
       - "values-memcached.gotmpl"
-    condition: "memcached.enabled"
+    installed: {{ .Values.memcached.enabled }}
   - name: "postgresql"
     chart: "postgresql-repo/postgresql"
     version: "2.0.2"
     values:
       - "values-postgresql.yaml"
       - "values-postgresql.gotmpl"
-    condition: "postgresql.enabled"
+    installed: {{ .Values.postgresql.enabled }}
     timeout: 900
   - name: "mariadb"
     chart: "mariadb-repo/mariadb"
@@ -103,7 +107,7 @@ releases:
     values:
       - "values-mariadb.yaml"
       - "values-mariadb.gotmpl"
-    condition: "mariadb.enabled"
+    installed: {{ .Values.mariadb.enabled }}
     timeout: 900
   - name: "postfix"
     chart: "postfix-repo/postfix"
@@ -111,33 +115,30 @@ releases:
     values:
       - "values-postfix.yaml"
       - "values-postfix.gotmpl"
-    condition: "postfix.enabled"
+    installed: {{ .Values.postfix.enabled }}
   - name: "clamav"
     chart: "clamav-repo/opendesk-clamav"
     version: "4.0.0"
     values:
       - "values-clamav-distributed.yaml"
       - "values-clamav-distributed.gotmpl"
-    condition: "clamavDistributed.enabled"
+    installed: {{ .Values.clamavDistributed.enabled }}
   - name: "clamav-simple"
     chart: "clamav-repo/clamav-simple"
     version: "4.0.0"
     values:
       - "values-clamav-simple.yaml"
       - "values-clamav-simple.gotmpl"
-    condition: "clamavSimple.enabled"
+    installed: {{ .Values.clamavSimple.enabled }}
   - name: "opendesk-gateway"
     chart: "istio-resources-repo/istio-gateway"
     version: "2.0.0"
     values:
       - "values-istio-gateway.yaml"
       - "values-istio-gateway.gotmpl"
-    condition: "istio.enabled"
+    installed: {{ .Values.istio.enabled }}
 
 commonLabels:
   deploy-stage: "services"
   component: "services"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/univention-corporate-container/helmfile.yaml

@@ -1,5 +1,9 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
   # openDesk Univention Corporate Server (as eval Container)
@@ -20,12 +24,9 @@ releases:
     values:
       - "values.yaml"
       - "values.gotmpl"
-    condition: "univentionCorporateServer.enabled"
+    installed: {{ .Values.univentionCorporateServer.enabled }}
 
 commonLabels:
   deploy-stage: "component-1"
   component: "univention-corporate-container"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/univention-management-stack/helmfile.yaml

@@ -4,6 +4,7 @@
 bases:
   - "../../bases/environments.yaml"
 
+---
 repositories:
   # Univention Management Stack
   - name: "ums-repo"
@@ -19,7 +20,7 @@ releases:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-store-dav.gotmpl"
-    condition: "univentionManagementStack.enabled"
+    installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-ldap-server"
     chart: "ums-repo/ldap-server"
     version: "0.1.0"
@@ -27,7 +28,7 @@ releases:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-ldap-server.gotmpl"
-    condition: "univentionManagementStack.enabled"
+    installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-ldap-notifier"
     chart: "ums-repo/ldap-notifier"
     version: "0.1.0"
@@ -36,7 +37,7 @@ releases:
       - "values-common.yaml"
       - "values-ldap-notifier.gotmpl"
       - "values-ldap-notifier.yaml"
-    condition: "univentionManagementStack.enabled"
+    installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-udm-rest-api"
     chart: "ums-repo/udm-rest-api"
     version: "0.1.0"
@@ -44,7 +45,7 @@ releases:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-udm-rest-api.gotmpl"
-    condition: "univentionManagementStack.enabled"
+    installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-stack-data-ums"
     chart: "ums-repo/stack-data-ums"
     version: "0.1.0"
@@ -52,7 +53,7 @@ releases:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-stack-data-ums.gotmpl"
-    condition: "univentionManagementStack.enabled"
+    installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-stack-data-swp"
     chart: "ums-repo/stack-data-swp"
     version: "0.1.0"
@@ -60,7 +61,7 @@ releases:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-stack-data-swp.gotmpl"
-    condition: "univentionManagementStack.enabled"
+    installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-portal-server"
     chart: "ums-repo/portal-server"
     version: "0.1.0"
@@ -68,7 +69,7 @@ releases:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-portal-server.gotmpl"
-    condition: "univentionManagementStack.enabled"
+    installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-notifications-api"
     chart: "ums-repo/notifications-api"
     version: "0.1.0"
@@ -77,7 +78,7 @@ releases:
       - "values-common.yaml"
       - "values-notifications-api.gotmpl"
       - "values-notifications-api.yaml"
-    condition: "univentionManagementStack.enabled"
+    installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-portal-listener"
     chart: "ums-repo/portal-listener"
     version: "0.1.0"
@@ -86,7 +87,7 @@ releases:
       - "values-common.yaml"
       - "values-portal-listener.gotmpl"
       - "values-portal-listener.yaml"
-    condition: "univentionManagementStack.enabled"
+    installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-portal-frontend"
     chart: "ums-repo/portal-frontend"
     version: "0.1.0"
@@ -94,7 +95,7 @@ releases:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-portal-frontend.gotmpl"
-    condition: "univentionManagementStack.enabled"
+    installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-umc-gateway"
     chart: "ums-repo/umc-gateway"
     version: "0.1.0"
@@ -103,7 +104,7 @@ releases:
       - "values-common.yaml"
       - "values-umc-gateway.gotmpl"
       - "values-umc-gateway.yaml"
-    condition: "univentionManagementStack.enabled"
+    installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-umc-server"
     chart: "ums-repo/umc-server"
     version: "0.1.0"
@@ -111,8 +112,9 @@ releases:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-umc-server.gotmpl"
-    condition: "univentionManagementStack.enabled"
+    installed: {{ .Values.univentionManagementStack.enabled }}
 
 commonLabels:
   deploy-stage: "component-1"
   component: "univention-management-stack"
+...

helmfile/apps/xwiki/helmfile.yaml

@@ -1,5 +1,9 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
   # XWiki
@@ -17,13 +21,10 @@ releases:
     values:
       - "values.yaml"
       - "values.gotmpl"
-    condition: "xwiki.enabled"
+    installed: {{ .Values.xwiki.enabled }}
     timeout: 900
 
 commonLabels:
   deploy-stage: "component-1"
   component: "xwiki"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/xwiki/values.gotmpl

@@ -18,13 +18,13 @@ customConfigs:
   "xwiki.cfg":
     "xwiki.superadminpassword": "{{ .Values.secrets.xwiki.superadminpassword }}"
     ## LDAP Server configuration
-    # "xwiki.authentication.ldap.server": "univention-corporate-container"
+    xwiki.authentication.ldap.server: "univention-corporate-container"
-    # xwiki.authentication.ldap.port: 389
+    xwiki.authentication.ldap.port: 389
     ## Authentication to the LDAP server
-    # xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,dc=swp-ldap,dc=internal"
+    xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,dc=swp-ldap,dc=internal"
-    # xwiki.authentication.ldap.bind_pass: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki }}"
+    xwiki.authentication.ldap.bind_pass: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki }}"
     ## Base DN used for searching for users
-    # xwiki.authentication.ldap.base_DN: "dc=swp-ldap,dc=internal"
+    xwiki.authentication.ldap.base_DN: "dc=swp-ldap,dc=internal"
 
   "xwiki.properties":
     "oidc.endpoint.authorization": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/auth"
@@ -43,8 +43,8 @@ properties:
   "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-bg": "{{ .Values.theme.colors.white }}"
   "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-hover-bg": "{{ .Values.theme.colors.secondaryGreyLight }}"
   ## Link LDAP users and users authenticated through OIDC
-  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.addOIDCObject": 1
+  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.addOIDCObject": 1
-  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.OIDCIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
+  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.OIDCIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
 
 ingress:
   enabled: {{ .Values.ingress.enabled }}

helmfile/apps/xwiki/values.yaml

@@ -8,7 +8,7 @@ customConfigs:
   xwiki.cfg:
     xwiki.url.protocol: "https"
     ## Indicate the LDAP field defining the user UID
-    # xwiki.authentication.ldap.UID_attr: "uid"
+    xwiki.authentication.ldap.UID_attr: "uid"
     ## Indicate the LDAP field defining the user profile picture
     # xwiki.authentication.ldap.photo_attribute: "jpegPhoto"
     ## Enable the synchronization of the LDAP profile picture
@@ -17,8 +17,8 @@ customConfigs:
   xwiki.properties:
     oidc.scope: "openid,profile,email,address,phoenix"
     oidc.endpoint.userinfo.method: "GET"
-    oidc.user.nameFormater: "${oidc.user.phoenixusername._lowerCase}"
+    oidc.user.nameFormater: "${oidc.user.phoenixusername._clean._lowerCase}"
-    oidc.user.subjectFormater: "${oidc.user.subject}"
+    oidc.user.subjectFormater: "${oidc.user.phoenixusername._lowerCase}"
     # yamllint disable-line rule:line-length
     oidc.userinfoclaims: "xwiki_user_accessibility,xwiki_user_company,xwiki_user_displayHiddenDocuments,xwiki_user_editor,xwiki_user_usertype"
     oidc.clientid: "xwiki"
@@ -67,21 +67,18 @@ properties:
 
   "property:xwiki:XWiki.AuthService.Configuration^XWiki.AuthService.ConfigurationClass.authService": "oidc"
   ## Fields to search in when importing users from the administration UI (not completely in scope for now)
-  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapUserAttributes":
+  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapUserAttributes": "sn,givenname,uid"
-  #   "sn,givenname,uid"
   ## Restrict user import in the UI to global administrators
-  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.usersAllowedToImport": "globalAdmin"
+  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.usersAllowedToImport": "globalAdmin"
   ## Enable group and user synchronization
-  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.triggerGroupsUpdate": 1
+  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.triggerGroupsUpdate": 1
-  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.triggerGroupImport": 1
+  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.triggerGroupImport": 1
-  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.forceXWikiUsersGroupMembershipUpdate":
+  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.forceXWikiUsersGroupMembershipUpdate": 1
-  #   1
   ## Base DN under which groups should be searched for
-  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchDN":
+  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchDN": "dc=swp-ldap,dc=internal"
-  #  "dc=swp-ldap,dc=internal"
   ## LDAP filter to only synchronize some groups
-  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchFilter":
+  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchFilter":
-  #   "(&(objectClass=opendeskKnowledgemanagementGroup)(opendeskKnowledgemanagementEnabled=TRUE))"
+    "(&(objectClass=opendeskKnowledgemanagementGroup)(opendeskKnowledgemanagementEnabled=TRUE))"
 
 securityContext:
   enabled: true

helmfile/environments/default/database.yaml

@@ -27,7 +27,7 @@ databases:
     password: ""
   oxAppsuite:
     host: "mariadb"
-    name: "CONFIGDB"
+    name: "configdb"
     username: "root"
     password: ""
   synapse:

helmfile/environments/default/global.yaml

@@ -9,6 +9,7 @@ global:
   #
   hosts:
     collabora: "collabora"
+    cryptpad: "cryptpad"
     dimension: "integration"
     element: "chat"
     etherpad: "etherpad"

helmfile/environments/default/images.yaml

@@ -8,15 +8,19 @@ images:
     # @supplier: "openDesk DevSecOps"
   collabora:
     repository: "souvap/tooling/images/collabora"
-    tag: "23.05.4.2.1@sha256:ee9ce83811700f1ff57e1218d22388dbaca96306df33f82aa14b334c5302285a"
+    tag: "23.05.5.3.1@sha256:496c913527ce83feb3fe2383d710851aa3781ffa56d200c75def74904d32adc3"
     # @supplier: "Collabora"
+  cryptpad:
+    repository: "cryptpad/cryptpad"
+    tag: "opendesk-20231020@sha256:b0bfe09601d8c8064e1b174d21a225ddb10aaa4103892fdfdf3d216726c26dde"
+    # @supplier: "XWiki"
   dovecot:
     repository: "dovecot/dovecot"
     tag: "2.3.20@sha256:96d414aa3f6978669b417f6468c16313a54ee6143a4846870e9f0eda280806e7"
     # @supplier: "Open-Xchange"
   element:
     repository: "souvap/tooling/images/element-web"
-    tag: "1.4.0@sha256:81fd60c8feba4cfc65de3cf950d4b5ca724cabcc46da279edec74af192ecff00"
+    tag: "1.5.0@sha256:d690c485c971f52ba2ab8e1011aa039a2e32ec1ffb504826f4fa050aa989067a"
     # @supplier: "Element"
   freshclam:
     repository: "clamav/clamav"
@@ -114,7 +118,7 @@ images:
     # @supplier: "Nextcloud Community"
   openproject:
     repository: "openproject/open_desk"
-    tag: "dev@sha256:e907515ebbc758ea93b7efd9209c27a449e99adc0a3fc725a73c89508140a2f4"
+    tag: "dev@sha256:ca5b843fd7f0687617ce3038a52fd6ac73fb4e9db7b762b8ac7d5090f168f0b1"
     # @supplier: "OpenProject"
   openxchangeBootstrap:
     repository: "alpine/k8s"
@@ -122,39 +126,47 @@ images:
     # @supplier: "Open-Xchange"
   openxchangeCoreGuidedtours:
     repository: "appsuite-public-sector/core-guidedtours"
-    tag: "8.5.1@sha256:469457562a378cca50460e08d9437a954fc6f19622f18128fa74979f7905ecd9"
+    tag: "8.6.0@sha256:6c20780f8c609636f2182c41709e2ee26586b4a23679fd13b15875a5f443445b"
     # @supplier: "Open-Xchange"
   openxchangeCoreMW:
     repository: "appsuite-public-sector/middleware-public-sector"
-    tag: "8.16.60@sha256:269c5b72f380c49ba1888c4300c409745d2ce757ca0b269afe1e8ac9bb26f028"
+    tag: "8.19.33@sha256:369c44369d727e4172f10c25137dbb00d936d20dd844cdca3a34f7f31273ea05"
     # @supplier: "Open-Xchange"
   openxchangeCoreUI:
     repository: "appsuite-public-sector/core-ui"
-    tag: "8.16.5@sha256:4f4dd4e36fb8a1b493c195e38e2f13b87c9582bfcdc3d23b646698fce2ffef8c"
+    tag: "8.19.0@sha256:7fdd73f78fd7094f2968f6fcaaae175e60824f9ef68f9e7e70418de6a2b623e9"
     # @supplier: "Open-Xchange"
   openxchangeCoreUIMiddleware:
     repository: "appsuite-public-sector/core-ui-middleware"
-    tag: "1.8.4@sha256:c707fbd5496c894f201dab8f4e78aad98f1ad80c8058778f04dfa5e6e201ed64"
+    tag: "2.0.0@sha256:8082edf30498a3ac1715f2d9b3e406f240ea586e2616b97f40c207ef55dff11f"
     # @supplier: "Open-Xchange"
   openxchangeCoreUserGuide:
     repository: "appsuite-public-sector/core-user-guide"
-    tag: "8.16.727397@sha256:5d8dbf9a91456dea59a235b495dcd002b971e2b23ef6c3a2ea5fd2071664e2a4"
+    tag: "8.19.771856@sha256:e00ed8f94c3c42cd288dd03f7fb18d228eb516b5e5ebd318825289b1c4ed17ab"
     # @supplier: "Open-Xchange"
-  openxchangeGuardUI:
+  openxchangeDocumentConverter:
-    repository: "appsuite-public-sector/guard-ui"
+    repository: "appsuite-public-sector/documentconverter"
-    tag: "4.0.6@sha256:7bb8fdf944228dd78a5c33bbd8d0019d5a9e4ce1c35bda674166f2febc5d9a02"
+    tag: "8.19.32@sha256:82354e858b6aeeae7f0ebaf66ad106f8e9ae46e605e97bb1d2d14e6ce1c3d708"
-    # @supplier: "Open-Xchange"
-  openxchangeNextcloudIntegrationUI:
-    repository: "appsuite-public-sector/nextcloud-integration-ui"
-    tag: "1.0.5@sha256:cad4ecba431f84b8627d2e541cfea773d5ef54b65d847fa8f7e3fd0d63156497"
-    # @supplier: "Open-Xchange"
-  openxchangePublicSectorUI:
-    repository: "appsuite-public-sector/public-sector-ui"
-    tag: "2.0.1@sha256:8df90f6dfb59008567d8ded0dbd17b8f92f409c78ba2cf4ab2a39e1b23e34d3b"
     # @supplier: "Open-Xchange"
   openxchangeGotenberg:
     repository: "appsuite-public-sector/3rdparty/gotenberg"
-    tag: "7.8.2@sha256:34af7b6d21c02b8183785177f5f3f1731633d72ec69e1f2ecdb8b43747887f62"
+    tag: "7.9.2@sha256:c97c1adb971d149222062ec46c5d749d710b38ad153c5c6ed954023e2401c9d0"
+    # @supplier: "Open-Xchange"
+  openxchangeGuardUI:
+    repository: "appsuite-public-sector/guard-ui"
+    tag: "4.0.7@sha256:8c9fa5d6aed055c0e84042ab28b3f0e9add94390362266ad440da4f90b8c93a8"
+    # @supplier: "Open-Xchange"
+  openxchangeImageConverter:
+    repository: "appsuite-public-sector/imageconverter"
+    tag: "8.19.33@sha256:9543c1409a129567bd6e4a657a353819842a4b1e1807ab86a1ea2e7f73f8c18e"
+    # @supplier: "Open-Xchange"
+  openxchangeNextcloudIntegrationUI:
+    repository: "appsuite-public-sector/nextcloud-integration-ui"
+    tag: "1.1.0@sha256:82cecb5adac63806ab41546e6b49090a93a5f4645750bb3967d87585b60df2e1"
+    # @supplier: "Open-Xchange"
+  openxchangePublicSectorUI:
+    repository: "appsuite-public-sector/public-sector-ui"
+    tag: "2.1.0@sha256:ed56730add8afdb08bef8b43a114aba406fd86d83c7fd7af93dc16bb002fa233"
     # @supplier: "Open-Xchange"
   oxConnector:
     repository: "souvap/tooling/images/ox-connector/ox-connector-standalone"
@@ -269,6 +281,6 @@ images:
     # @supplier: "Element"
   xwiki:
     repository: "xwikisas/swp/xwiki"
-    tag: "0.11-mariadb-jetty-alpine@sha256:a334e18d171458ed41ef356e82580561f48b0edf60b4979dc4ed9503eb497c59"
+    tag: "0.12-mariadb-jetty-alpine@sha256:c195d8baf38b6c6b0c533a3216e726cd863a6c2ba0e65f18036402592bb72896"
     # @supplier: "XWiki"
 ...

helmfile/environments/default/replicas.yaml

@@ -7,6 +7,7 @@ replicas:
   # clamav-distributed
   clamd: 1
   collabora: 1
+  cryptpad: 1
   dovecot: 1
   element: 1
   # clamav-distributed

helmfile/environments/default/resources.yaml

@@ -16,6 +16,13 @@ resources:
     requests:
       cpu: 0.1
       memory: "16Mi"
+  cryptpad:
+    limits:
+      cpu: 2
+      memory: "2Gi"
+    requests:
+      cpu: 0.1
+      memory: "512Mi"
   dovecot:
     limits:
       cpu: 0.5
@@ -184,6 +191,13 @@ resources:
     requests:
       cpu: 0.1
       memory: "250Mi"
+  oxDocumentConverter:
+    limits:
+      cpu: 2
+      memory: "2Gi"
+    requests:
+      cpu: 0.25
+      memory: "1Gi"
   postfix:
     limits:
       cpu: 0.5

helmfile/environments/default/workplace.yaml

@@ -9,6 +9,8 @@ clamavSimple:
   enabled: true
 collabora:
   enabled: true
+cryptpad:
+  enabled: true
 dovecot:
   enabled: true
 element: